Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks

Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks

March 1, 2024 at 08:57AM

US government agencies issued a warning about ongoing Phobos ransomware attacks targeting critical infrastructure sectors. Operating since May 2019, Phobos employs a ransomware-as-a-service (RaaS) model, with tactics such as phishing emails, IP scanning, and use of remote access tools. Recommendations for mitigations and indicators of compromise are provided.

From the meeting notes, it is apparent that US government agencies have issued a warning about ongoing Phobos ransomware attacks targeting various critical infrastructure sectors. Phobos has been active since May 2019 and operates under the ransomware-as-a-service (RaaS) business model, successfully extorting millions of dollars from victim organizations. The ransomware is associated with variants such as Backmydata, Devos, Eight, Elking, and Faust, and has been deployed in conjunction with tools popular among cybercriminals.

The attacks typically start with phishing emails dropping IP scanning tools to identify vulnerable Remote Desktop Protocol (RDP) ports and then brute-forcing for access and company profiling. Threat actors leveraging Phobos have also deployed remote access tools to establish a connection within the compromised network. Additionally, the attackers use spoofed email attachments to deliver malicious payloads such as the SmokeLoader backdoor, which is then used to deploy Phobos and exfiltrate data from the victim’s network.

The joint advisory also notes that the attackers have been observed using legitimate executables to deploy additional payloads with elevated privileges, modifying system firewall configurations to bypass network defenses, and using various tools for reconnaissance, credential harvesting, and data exfiltration. Phobos has been observed identifying and deleting data backups to prevent recovery and encrypting all connected logical drives on the target machine.

Furthermore, the attacks involve extortion through email or voice calls to victims, and compromised organizations have been listed on Tor-based sites that also host allegedly stolen data. The advisory contains indicators of compromise (IoCs) that organizations can use to hunt for potential Phobos ransomware compromise, as well as recommended mitigations. The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents. This information provides a comprehensive overview of the Phobos ransomware attacks and emphasizes the importance of taking action to mitigate the risk of such incidents within organizations.

Full Article